CVE-2026-2636

MEDIUM

Windows OS < 25H2 - Denial of Service via CLFS.sys Driver Inconsistency

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-2636. PoCs published by XiaomingX, XZ1r0, uname1able.

Description

This vulnerability is caused by a CWE-159 ("Improper Handling of Invalid Use of Special Elements") weakness, which leads to an unrecoverable inconsistency in the CLFS.sys driver. This condition forces a call to the KeBugCheckEx function, allowing an unprivileged user to trigger a system crash. Microsoft silently fixed this vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Windows 25H2 (released in September) shipped with the patch. Windows 11 23H2 and earlier versions remain vulnerable.

Exploits (4)

github STUB 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2636

The repository contains minimal information about CVE-2026-2636, including target OS and compilation details, but lacks actual exploit code or technical analysis. It appears to be a placeholder or incomplete PoC.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Windows 11 23H2 (22631.5039) x64
No auth needed
Prerequisites: Windows 11 23H2 (22631.5039) x64 · Windows SDK 10.0 · Visual Studio 2022 (v143)
devstral-2 · analyzed Mar 06, 2026

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/windows/CVE-2026-2636_PoC

This repository contains a functional proof-of-concept exploit for CVE-2026-2636, a vulnerability in the Windows Common Log File System (CLFS) driver that allows an unprivileged user to trigger a BSoD by calling ReadFile on a handle opened via CreateLogFile. The PoC demonstrates the vulnerability by creating a log file and attempting to read from it, leading to an unrecoverable system state.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Windows CLFS.sys (versions before September 2025 cumulative update)
No auth needed
Prerequisites: Windows system with vulnerable CLFS.sys version
devstral-2 · analyzed May 21, 2026

nomisec STUB
by uname1able · poc
https://github.com/uname1able/CVE-2026-2636

The repository contains minimal information about CVE-2026-2636, mentioning only the target OS (Windows 11 23H2) and basic compilation details without any actual exploit code or technical analysis.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Windows 11 23H2 (22631.5039) x64
No auth needed
Prerequisites: Windows 11 23H2 x64 environment · Windows SDK 10.0 · Visual Studio 2022 (v143)
devstral-2 · analyzed Mar 05, 2026

nomisec WORKING POC
by oxfemale · poc
https://github.com/oxfemale/CVE-2026-2636_PoC

The repository contains a functional PoC for CVE-2026-2636, demonstrating a DoS vulnerability in CLFS.sys by triggering a BSoD via an unexpected sequence of ReadFile and CreateLogFile API calls. The PoC is minimal and does not require crafted files, relying on improper IRP flag handling.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Windows CLFS.sys (versions prior to September 2025 update)
No auth needed
Prerequisites: Windows system with vulnerable CLFS.sys · Unprivileged user access
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 5.5
EPSS 0.0006
EPSS Percentile 18.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-159
Status published
Products (2)
Microsoft/Windows OS < 1123h2
Microsoft/Windows OS < 25H2
Published Feb 25, 2026
Tracked Since Feb 26, 2026